Posted
by
samzenpus
on Thursday April 29, 2010 @12:49AM
from the best-little-botnet-in-Texas dept.

Julie188 writes "A Mesquite, Texas, man is set to plead guilty to training his 22,000-PC botnet on a local ISP — just to show off its firepower to a potential customer. David Anthony Edwards will plead guilty to charges that he and another man, Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer, according to court documents."

Because being Goldman-Sachs guarantees a slap on the wrist? They have a nearly endless supply of lesser management pawns to absorb all blame and they make significantly more money being crooked than any fine might cost them.

It's like fining a a company 20 000 for dumping toxic waste that would have cost them 100 000 to get rid of legally.

They have a nearly endless supply of lesser management pawns to absorb all blame

Ooooh, that brings to mind a phrase which, if it hasn't been coined, should be.

"Ablative managment": The layers and layers of expendable mid-level cannon fodder with enough responsibility to absorb blame, enough purported independence to support plausible deniability for their superiors, and enough commodity interchangeable to be easily and cheaply ejected and replaced. Used to shield the precious core of Board Members, CxOs, Senior VPs from PR or legal flamage.

"Both men face a maximum of five years in prison and a $250,000 fine on one count of conspiring to cause damage to a protected computer and to commit fraud."

To bad there weren't some PC's compromised in Maricopa County Arizona. If so they should be sent over to that Sheriff Joe Arpaio and be on the chain gang for the whole 5 years. Yes I know it's voluntary (last I heard), but have a special one for some offenders. Or better yet have other states grow a backbone and have chain gangs set up in northern co

It's actually a little ironic. I used to know some botnet herders (around 10-11 years ago) who didn't use their bots for malicious purposes at all, or very seldomly at least. They would actively scan PCs and patch holes - sometimes by downloading Windows updates - and remove competing botnets and viruses. A lot of it tended to be automated, but some of it was genuinely manual labor.

It wasn't their main attraction of course, but the net gain was (sometimes) an overall benefit. A few of the better trojans (Ag

I've seen norton and mcafee break a computer's networking and radically slow down a powerful system just as much (and more-so) than the worst of the rogues and trojans. No doubt a grayhat (whitehat?) botnet would do some good. What frustrated computer tech hasn't wanted to put a benevolent botnet out there, to stave off the malevolent ones?

So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.

I don't think it's as clear cut as that. It's much easier to get evidence of 5,000 infections from a handful of sysadmins saying "We spent X hours cleaning up Y PCs as a result of this particular piece of malware" than it is to get 5,000 individuals to.

It's not exactly rocket science for either of them. For the target, you need to look at logs. For the zombies, you need to look for the bot software. Hell, if they've cracked the control software for the bot network (which it sounds like they have), it's a hell of a lot easier to gather evidence for the zombies.

So the one count they're charged with is for invading a corporate computer. And the thousands of individual citizens' PCs they compromised are ignored. Somehow, I'm not surprised.

Umm. Because the home PC's could be anywhere on Earth and they don't have resources to them track down, contact the owners, get them to file complaints and pursue 22,000 individual minor hacking claims?

I'm all for the chaingangs patching the roads. It takes 3 state/county supervisors to watch 5 state/ road crew workers screw off here. Nothing ever gets done. Private contractors work the city so only traffic watch them screw off. If we gotta feed and house these prisoners and it costs more in taxes all the time, then we need some work out of them.

Good idea! Unions have raised the costs of goods and services for everyone more than any Democratic tax hike I can recall. Convict powered road repair could under bid them all. A fleet of shovels can cost less than 1 road grader to 0perate. It's a green solution too.

Or better yet have other states grow a backbone and have chain gangs set up in northern cold states in the US patching pot holes!!

Fairfax chain gangs fill gaps for cash-strapped DOT
By Derek Kravitz
Washington Post Staff Writer
Monday, April 26, 2010
The vest-wearing, lawn-mower-pushing members of Fairfax County's modern chain gang don't look like jail inmates. Well-disciplined landscapers, yes. Orderly weed-whackers, perhaps. But not convicts. There are no chains, no handcuffs, no black-and-white striped jumpsuits. Just a handful of suntanned men wearing uniforms.
But take a closer look, and you'll see the tell-tale signs that these aren't your normal grass cutters -- the faded gang tattoos, the jail-issued plastic ID bracelets, the armed sheriff's deputy patrolling nearby. Still, confusion is inevitable.
"We get a lot of people asking us for business cards, and we have to point to our sheriff's office logo and say, 'Sorry,' " said Sheriff's Deputy Michael Pence, as he watched a handful of inmates mow grass on a recent Friday near a county office building in McLean.

I disagree, the number of individual crimes that proof can be found for IMO has little bearing on the appropriate sentance. Does it really matter whether the cops happen to find ten of a burglers burgulries or just a couple?

Plus there is the issue of where someone commits one act but that act happens to fit the definition of multiple crimes.

Plus it saves the system a lot of resources because the criminal is unlikely to appeal and will often ask for further crimes the police didn't know about to be taken in

You need:1. A controlling server. Preferably located in some country ending in -stan or some other country where law enforcement laughs at interpol when they ask for aid.2. An infector and sheepifyer trojan. Trivial to code.3. A few million sheep. For pointers, see facebook&twitter.

Additionally it is wise to create your trojan in such a way that you (and only you) can update it and redirect it to some other control server should yours get shut down for some odd reason. Make sure that you create a good enough challenge/response or be prepared for someone else to harvest your infections.

If you're good you can make it a P2P network, like the Skype network or the BitTorrent DHT. Have all the commands cryptographically signed; it doesn't matter where a message is coming from as long as it has the right signature. Then it will be extremely difficult for attackers to find where the controlling server is. The commands to their computer will probably be forwarded to them from some other bot near them in the network, not directly from your control server, and they can't find out where the other bo

Already happening. It's still possible to track down the originating controller.

Shutting such a botnet down is somewhere between trivial and impossible. It all depends on whether you can break their key before they change it. Since the network accepts control commands from anywhere, you "only" need to crack open its key.

But if they've coded it sanely, the private key is never stored on the bots, and the public key is used merely for verifying the validity of the command.
I guess this is the impossible end of your scale.

Consider an architecture where bots act on any command they receive with an appropriate signature (assume decent quality public/private key crypto such that a crypto crack is not an option) and retransmit any command they see to all their peers.

How would you go about finding the original injection point of a command packet bearing in mind that most of the links won't be logging packet contents?

You can't just say "assume decent quality public/private key crypto such that a crypto crack is not an option". We're not talking about breaking the encryption on something that Bruce Schneier designed. See the article for the level of coder we're talking about. Attacking the encryption would be my starting point for all of these. If it can decrypt the incoming messages, chances are there's a flaw I can find that will lead me to that key.

I don't really recommend using those kits. Few of them allow you to keep your precious bots all for yourself.;)

Seriously, what do you expect? You're buying (closed source) software to install backdoors in someone else's computer from a... well, let's say not too reputable company. Do you really expect them to let you keep the bots? Be honest!

From the other side of the game, yes. But I guess I'm not giving away any secrets by telling that. I also don't know why it's Informative. It's pretty common knowledge when you have at least a passing interest in botnet. Besides, the setup outlined above is soooo '07...

Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer....

That's, like, US $3300 for the lot. He's not going to get much hookers and blow outta that.

If he did any programming at all to develop the exploit, then his wages are in the basement. (Probably right next to his 'office'.) Once you factor in the time it would have taken to propagate, test and market the botnet, this guy stood to earning the merest pittance.

Then again, he was stupid enough to turn the thing on his own ISP, so we shouldn't marvel too much over his lack of business acumen.

What's to stop him from leasing use of the botnet to multiple cyber-criminals now that he's built it up? I mean, the initial sale is just a little bit, but suppose the market for the botnet is more than just one organization, or suppose he charges by the day?

I'm not really a professional botnet organizer, so I have no idea how plausible this is.

Seems to me he's not a rocket scientist, just a script kiddie. He's not likely to really know how to monetize and leverage something like that. Perhaps he was nervous and wanted to get out, but was too greedy to just hit delete.

It seems very interesting that they were able to do this, but limited the botnet to the local ISP. In TFA they also state they "attacked" a Planet hosted server but didn't say if it was a DDOS or what. (The Planet is one of the bigger north texas hosters/data centers, I got to have a personal tour there once while working on building a data center elsewhere, they are very professional) and TFA later states they comprimised another website. What confuses me is that most botnets are installed via some sort of social engineering, be it XSS, email spam, etc. But it seems that since they were able to build it in such a short time on such a targeted demographic, that it falls closer into the spectrum of a Storm style botnet, that uses DDOS as both attack and defense. But regarding that I also don't understand the compromises of the website via a large scale like that, usually a DDOS is just that, a denial of service, if there is a vulnerability what is the use of an entire botnet? Maybe used to brute force something, or obfuscate multiple scans of vulns, but overall it seems like this was someone who stood on the shoulders of other botnet writers (would be interesting to reverse engineer the code and see) in order to make a quick buck (which is easy to do on IRC's underbellies) Anyone who pays attention at all to botnet or other malicious writers knows that if attention is directed to your code, it's fairly easy to track you down. It is also notable that this happened in 2006, and so it took this long for law enforcement to build a good enough case against them. Anyway, interesting at least to me, as I've been training up on computer forensics so its interesting to look at things like this.

The attempted sales price (U$0.15/machine, would presumably be negotiated down 0.10-0.12) is ~100x less than users would pay to not be infected, and about 1000x less than it will take to remove the malware. Any person who buys and uses the botnet will generate similar economics.

This is an obvious clear loss to humanity -- the crooks gain _very_ much less than the damage they cause. A negative sum game.

The same might be said of Goldman-Sachs: even without the front-running and counter-dealing, they mispri